Outlook API: Cannot access inbox. Status 401, although successfully authenticated

Question

Outlook API: Cannot access inbox. Status 401, although successfully authenticated

Uwe Weinreich 0

I need a tiny script that reads my inbox. I have set up a Python script using the Outlook API. General authentication works fine with my user ID and the client secret of the app. A token is generated successfully.

But when trying to read the inbox I receive status code 401. Something must be wrong with the URL I use to try to access the folder, I suppose:

url = f"https://graph.microsoft.com/v1.0/users/{my User ID}/mailfolders/inbox/messages?$select=id,subject,from,toRecipients,receivedDateTime&$top=25&$orderby=receivedDateTime desc"
headers = { "Authorization": f"Bearer {token}", "Accept": "application/json", "Content-Type": "application/json" }
response = requests.get(url, headers=headers)

{my user ID} is the same that was also used as authority value when authenticating with msal.ConfidentialClientApplication. There it works fine

Do I need to modify the URL? And if so, how?
Or do I need to modify settings in my user account?
Or are there specific app setting I should look at in Entra Admin Center?

SokiGuo-MSFT 31,721 Reputation points Microsoft External Staff

2024-01-15T08:05:50.7433333+00:00

Hi @Uwe Weinreich

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back. If you think the reply is helpful to you, please remember to mark it as an answer. Warm thanks.

2 answers

Your answer

SokiGuo-MSFT 31,721 Reputation points Microsoft External Staff

2024-01-15T08:05:50.7433333+00:00

Hi @Uwe Weinreich

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back. If you think the reply is helpful to you, please remember to mark it as an answer. Warm thanks.

Answer 1

Vasil Michev 124.1K MVP Volunteer Moderator

Confidential clients authenticate via the client credentials flow (i.e. client secret or certificate), user IDs are not involved. If you are indeed authenticating via client credentials, and thus running in the application context, you need additional permissions in order to access any given mailbox. In particular, the Mail.Read or Mail.ReadBasic application permission would do.

The URL seems fine, assuming you're passing the correct user ID. This should be the UPN of your user or its GUID. You cannot use other values, such as any of the email addresses assigned, unless it matches the UPN.

Uwe Weinreich 0 Reputation points

2024-01-09T10:40:32.57+00:00

Dear Vasil,

Thank you so much for your answer. It could actually be the solution

I have to admit, I am struggling with MS. So far, I had only been developing in Linux environments.

I have used the tenant ID that is provided in Entra for my account. It seems to be fine to create the token. But probably, this is not the UPN or GUID. Can you tell me where I can retrieve the correct UPN? I have been searching for a while now without result.

Thanks a lot,

Uwe
Uwe Weinreich 0 Reputation points

2024-01-09T10:41:29.1233333+00:00

Dear Vasil,

Thank you so much for your answer. It could actually be the solution.

I have to admit, I am struggling with MS Azure. So far, I had only been developing in Linux environments.

I have used the tenant ID that is provided in Entra for my account. It seems to be fine to create the token. But probably, this is not the UPN or GUID. Can you tell me where I can retrieve the correct UPN? I have been searching for a while now without result.

Thanks a lot,

Uwe
Vasil Michev 124.1K Reputation points MVP Volunteer Moderator

2024-01-09T10:47:24.6733333+00:00

The UPN is what you use to login to the portal or any of the apps, i.e. ******@domain.com. It usually matches the value of your (primary) email address, but that's not always the case.
Uwe Weinreich 0 Reputation points

2024-01-09T15:52:39.9733333+00:00
Thank you so much for your clear guidance. Why doesn't MS provide it that way?

These are the values I could retrieve from the Entra Admin platform:

Under Identity / Users / {me}:

User principal name = my mail address and the one of the mailbox I wanted to attend.

Identities = {registered name}.onmicrosoft.com

Object ID

Under Identity / Overview

Tenant ID

It is a two step authentication process:

First, create a token:

config["scope"] = ['https://outlook.office365.com/.default'] result = app.acquire_token_silent(config["scope"], account=None) if not result: print("No suitable token exists in cache. Let's get a new one from AAD." + "\n") result = app.acquire_token_for_client(scopes=config["scope"])

With the two values of Identities and Tenant ID, a token is successfully created. The other don't take effect here.

Second, read the inbox:

[ see my initial post ]

None of the above mentioned values works here neither after creating a token with Identities nor Tenant ID.

I'm still stuck. Still receiving only 401.

If you have another idea, please, let me know.
THANKS!
Vasil Michev 124.1K Reputation points MVP Volunteer Moderator

2024-01-09T16:10:04.9833333+00:00
OK, let's back up a bit. The code you are using for obtaining the token is for a confidential client (i.e. an application, not a user). Technically, you can use this method, but it requires additional permissions to be granted on the application. More importantly, you are getting a token for a different resource, the scope you need to use for the Graph API is "https://graph.microsoft.com/.default".

So here are few things to try:

Change the scope in the code above to "https://graph.microsoft.com/.default", try obtaining a token

If the token is obtained OK, try running the GET https://graph.microsoft.com/v1.0/users/{my User ID}/mailfolders/inbox/messages query.

If it fails, either grab a screenshot of your app configuration in the Entra portal, in particular the API Permissions page, or decode the token via the jwt.ms tool and paste the result here. The point being, we need to also make sure that you have the required permissions, apart from having a valid token.

Related to the above, when adding permissions via the API permissions page, do make sure you are adding them for the Graph API resource (which is the default). The type of permission also matters, assuming you want to use Application permissions, make sure the Mail.Read (or Mail.ReadBasic) scope is added. And, make sure consent is granted!

And just in case, we talking about an Microsoft 365 mailbox you want to access, not an Outlook.com one, correct? Both can work, but the devil is in the details.

All the above is using the assumption that you want to perform this operation in the application context (as daemon app). You also have the option to run it as a given user, though some of the automation aspects will be lost in this case (obtaining a token in the user context is almost always an interactive operation).

Answer 2

Uwe Weinreich 0

The issue was solved. Additionally, I needed to set the App's access rules correctly. There was a major mistake. Thanks a lot, Vasil!

SokiGuo-MSFT 31,721 Reputation points Microsoft External Staff

2024-01-15T09:06:15+00:00

Hi

Thanks for your reply! Glad to see it is helpful. Due to a recent update in forum policy, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Share via

Outlook API: Cannot access inbox. Status 401, although successfully authenticated

2 answers

Your answer